2.1.b Local privilege authorization fallback
Three normally used methods to verify user credentials at a switch port are:
1. To configure a username and password locally, use this command in global configuration mode on the switch:
Switch(config)# username <username> password <password>
2. To define authentication using RADIUS, use the command:
Switch(config)# radius-server host {<hostname> | <ip-address>} [key string]
3. After defining the server along with its shared secret password, define a group name that will contain a list of servers using the command:
Switch(config)# aaa group server {radius | tacacs+} <group-name>
4. Now, define each server of the group by using the command:
Switch(config)# server <ip-address>
5. If you have more than one RADIUS or TACACS+ server, repeat the above command for each server.
A locally configured username and password are enabled by default on a switch. If any other authentication scheme is defined, it is tried first, before local authentication is used. You can disable local authentication when other authentication methods are in use. To configure a username and password for local authentication on a switch, use the command:
Switch(config)# username <user name> password <password>
You define a RADIUS server for user authentication by using the command:
Switch(config)# radius-server host {host-name | ip-address} [key string]
[key string] is the password that is shared between the switch and the RADIUS server.
The command:
Switch(config)# aaa group server radius <group-name>
is used to define the group name that will contain a list of servers.
The command:
Switch(config)# aaa authentication login default radius
specifies that the default login method is RADIUS.
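The following is an added example, not part of the original page: a Python audit that reads a running-config and flags login method lists that have no local fallback, end in no authentication, or reference an undefined or empty server group. The sample configuration, group names and addresses are constructed, and the `group`, `local`, `local-case` and `none` method keywords are standard IOS syntax that the page itself does not show.

```python
import re

# Constructed sample running-config for illustration (not from the page).
SAMPLE_CONFIG = """\
aaa new-model
username admin password <password>
aaa group server radius RAD-GRP
 server 192.0.2.10
 server 192.0.2.11
aaa group server tacacs+ EMPTY-GRP
aaa authentication login default group RAD-GRP
aaa authentication login CONSOLE group RAD-GRP local
aaa authentication login VTY group EMPTY-GRP none
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}  # built-in groups of all configured servers

def audit_aaa(config):
    """Return (method_list, finding) pairs for 'aaa authentication login' lists."""
    groups, lists, current, has_user = {}, {}, None, False
    for line in config.splitlines():
        parts = line.split()
        grp = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if grp:                                   # start of a server group
            current = grp.group(2)
            groups[current] = []
        elif current and line.startswith(" ") and parts[:1] == ["server"]:
            groups[current].append(" ".join(parts[1:]))  # member of the group
        else:
            current = None                        # left the group sub-mode
            has_user = has_user or line.startswith("username ")
            login = re.match(r"aaa authentication login (\S+) (.+)", line)
            if login:
                lists[login.group(1)] = login.group(2).split()
    findings = []
    for name, methods in lists.items():
        if not {"local", "local-case"} & set(methods):
            findings.append((name, "no local fallback"))
        elif not has_user:
            findings.append((name, "local fallback but no local username"))
        if "none" in methods:
            findings.append((name, "falls through to no authentication"))
        for tok, grp_name in zip(methods, methods[1:]):
            if tok == "group" and grp_name not in BUILTIN_GROUPS and not groups.get(grp_name):
                findings.append((name, f"server group {grp_name} is undefined or empty"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_aaa(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Only the CONSOLE list in the sample passes: it tries the RADIUS group first and falls back to the local username database when the servers do not respond.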